We are encountering a 401 error when making basic authenticated API calls to the X2CRM endpoints (index.php/api2/Contacts). Unauthenticated API calls to other X2CRM VoIP endpoints are successful without issue, and basic authentication works on a test page in the same directory using the same PHP-FPM pool. API calls previously working successfully.
The problem is that API calls to index.php/api2/Contacts or similar endpoints in the X2CRM system are returning a 401 error with "missing user credentials." Basic authentication is working correctly on a test page in the same directory and using the same PHP-FPM pool, and unauthenticated API calls to other X2CRM voip endpoints index.php/api/voip/data/(phone number) are successful without issue. The credentials for the API calls are confirmed to be present in the database
We tried making basic authenticated API calls to the X2CRM endpoints (index.php/api2/Contacts, etc.) using Postman and cURL. We expected the API calls to be successful and return the expected data. However, we encountered a 401 error and the response stated "Missing user credentials". We confirmed that the credentials being used are valid and present in the database. We also tested a basic authentication on a test page in the same directory and it was successful, allowing entry into the directory. We need help resolving the issue with the basic authenticated API calls.
The response that you have shared
Missing user credentials
means that the credentials that you are trying to send are not being sent with the request.
If those credentials were being sent correctly, then, the error would have been:
Invalid user credentials
or, something else in the response.
Furthermore, the index.php/api is different from index.php/api2 so you will need to verify it in the api2 controller. You can send a request to the following Endpoint to verify if your credentials work with the builtin APIs:
https://<YOUR_CRM_DOMAIN>/index.php/api2/appInfo.json
Moreover, the documentation clearly indicates that 401 error is related to Authorization, so you will need to fix that first.
Related
I've configured Cognito to use SAML Identity Provider and did all the setup on AD side, AD accepts the request and allow me to sign-in, then it responds to the configured idpresponse endpoint with the SAMLResponse form data value as you can see in the image below, but Cognito returns a 302 redirect with
location: http://localhost:3000/auth/callback#error_description=Error+in+SAML+response+processing%3A+No+SAML+assertion+found+in+the+SAML+response.+&error=server_error
I'm not sure what is going on, I tried to modify the POST request to idpresponse via curl and it is definitely reading the SAMLResponse form data because if I modify it I get invalid response error.
How can I troubleshoot it?
We wish to use our own httponly strict cookie with access and refresh token in it for our microservices architectures.
We are primary using OKTA Authentication API to log users with our own custom Sign-in page.
We were able to get the access_token on the authorize endpoint using the responsetype=token with sessionToken and redirecting the result as a form_post on our back-end endpoint.
I was unable to retrieve the refresh_token despite adding the offline_access in the scope even if it is checked in my okta application setting.
I don’t want to use resource password flow since we prefer using sessionToken which will work with multi factor if needed in the future.
I also try using the code flow and redirecting the result on our back-end but since the code flow is client-side it’s return this error "PKCE code verifier is required when the token endpoint authentication method is ‘NONE’." This error occur even if we choose a .NET application
How can we retrieve the refresh_token server-side with Okta?
Responded to your post here https://devforum.okta.com/t/getting-refresh-token-server-side-sessiontoken/12419/3.
Aside from making a call directly to /token with your access token you can also check our Early Access feature called Refresh Token Rotation. Let us know if this helps!
I was able to use the CODE flow and redirect from server-side to the authorized endpoint like so:
https://{YOUROKTADOMAIN}/oauth2/default/v1/authorize?client_id={YOURCLIENTID}&response_type=code&scope=openid%20offline_access&response_mode=query&redirect_uri={YOURSERVERSIDEGETURI}&state={Guid.NewGuid()}&sessionToken={SessionToken From Auth API}
This call will post back to my same server, so i can handle token myself and create my own cookie.
I have been struggling with getting Windows authentication to work on IIS10 for a .Net Core API. The error I am getting is 401.2:
You are not authorized to view this page due to invalid authentication headers.
I have made the following configurations:
Only windows authentication has been enabled on the site (Anonymous is disabled)
SPNs have been created for the site and the server has been enabled for delegation.
The application pool is configured to run under a domain account
Both cURL and Postman give me the same result. Interestingly, when I make use of the SwaggerUI on the API directly, I get the expected behavior, but when making external calls (from another server), I get the 401.2 error.
Some additional content from the error is that the Logon Method and Logon User is Not Yet Determined.
How do I resolve this issue?
I was under the assumption that Postman and cURL were sending the NTLM credentials/token as a part of the request by default, but was incorrect. I had to enable Failed Request Tracing on IIS and saw that they were trying to make use of anonymous authentication. Apparently Postman does not support NTLM authentication so I made use of cURL and appended the credentials. With this I could get the authentication to work with cURL.
I am developing an app and I am trying to save user data to a third-party service. The service allows me to access the users' resources via OAuth. I have finished implementing the OAuth flow and it works as follow (when no error occurs):
I redirect the user to the authentication page of the service provider, providing the following parameters in the URL:
?redirect_uri=[my_redirect_uri]&client_id=[my_client_id]&response_type=code
The user authenticate him/herself
The service redirect the user to the redirect_uri and pass me the authorization code in the URL parameter: code=[authorization_code]
I get the access_token from the auth_code
I can now access the user data
You can see the diagram here.
I found out that for this particular service, when the user fails to authenticate him/herself (step #2), the Authorization Server immediately redirect the User-Agent to my redirect_uri and in the URL parameter I got error=access_denied.
I find this not a user-friendly experience because the user can make a typo or simply forget his/her credentials.
I checked the OAuth 2.0 Authorization Framework RFC. It seemed that there isn't any protocol on resource owner's authentication failure. I see in the RFC that there are protocols for Client authentication failure or Authorization failure. However, it is not stated how the Authorization Server should respond when it fails to authenticate the resource owner.
I did my own research by trying to login to Medium using Facebook OAuth. I see that when I fail to login, I am still in the Facebook authentication page, and Facebook notify me that my credentials is wrong. I can enter a wrong credentials up to 3 times, after which, the flow will break (the parameters in the URL associated with the OAuth disappears). When I enter the right credentials and deny Medium to access my profile, then, I was redirected to Medium with error=access_denied
Is what Facebook did the best practice? Is there a policy on the number of attempts allowable for resource owner authentication? What is the proper response when the Authorization Server fails to authenticate the resource owner?
The response with error=access_denied actually complies with the OAuth2 specification. The section (4.1.2.1.) on error responses for the authorization endpoint when using the authorization code grant lists several possible error codes and says the following about the access_denied:
access_denied
The resource owner or authorization server denied the request.
(emphasis is mine)
What does not feel right is treating invalid credentials immediately as an error and not letting the user retry the password input in order to safeguard occasional typos. However, that's left as the discretion of the authorization server, there's nothing (that I'm aware) in the specification that dictates when should the error be returned so not allowing the user to retry, although okay by the specification, is possibly bad UX.
OAuth gives only a reccomandation on this case, it doesn't limit the number of attempts allowable for resource owner authentication.
If the authorization server observes multiple attempts to exchange an
authorization code for an access token, the authorization server SHOULD attempt to revoke all access tokens already granted based of the compromised authorization code.
A new website I'm working has the following components:
AngularJS/HTML5 Front-End
Web API Back-End that supports Front-End
OAuth Server - Authenticates user and provides tokens
The workflow for an unauthenticated user:
Views Front-End, which calls Web API to determine if authenticated
If not authenticated the user is redirected to OAuth Server
After successful authentication, the browser is redirected back to website with Auth Code
Auth Code is sent to Web API
Web API logic requests Access Token from OAuth server
A cookie is used to associate the token to the user
Additional requests send the cookie, which is used to authorize the user.
My question is what should I send for the HTTP Status Code for Step 1? Normally you send 401 for not unauthorized, but that is if you are using HTTP Authentication. Since the authentication is handled by a different server, that wouldn't make sense. 403 doesn't seem correct either because it implies a that the status will not change.
Should I just use a generic 400 or a custom 400.X code?
Although there is nothing wrong with sending HTTP 401 Unauthorized as a response in your case, a much better alternative would be to send HTTP 302 Found, which would imply that when the user was trying to access the front-end view, the applicable resource in this case (OAuth Server Url) was found somewhere else.
You can mention the OAuth Server Url in the Location header of the response, so the client would redirect the unauthenticated user to the intended location.
HTTP 302 Found
Location: https://oath-server-url.com